Filed: August 14, 2001

Group Art Unit: 2151

Examiner: Frantz B. Jean

For: METHODS AND APPARATUS FOR PROTECTING AGAINST OVERLOAD CONDITIONS ON NODES OF A DISTRIBUTED NETWORK

Honorable Commissioner for Patents
P.O. Box 1450
Alexandria, Virginia 22313-1450

DECLARATION UNDER 37 CFR 1.131

We, the undersigned, Yehuda Afek, Anat Bremler-Barr and Dan Touitou, hereby declare as follows:

1) We are the Applicants in the patent application identified above, and are the inventors of the subject matter described and claimed in claims 1-8, 10, 11, 13-16, 20, 31, 35 and 46-69 therein.

2) We conceived our invention prior to September 28, 2000, in Israel, a WTO country. We were then diligent in preparation of a provisional patent application covering the invention during the period between September 28, 2000, and October 17, 2000, when the provisional patent application (US 60/240,899) was filed. The present patent application (US 09/929,877) claims priority from this provisional patent application.

3) As evidence of the conception of the present invention, we attach hereto, as Exhibits A and B, parts of a draft of the present patent application. These documents were prepared September 14, 2000, and September 18, 2000, respectively. (Proof of the dates of these documents, as well as other documents cited herein, is attached hereto as Exhibit G in the form of a directory listing of the archive in which the documents were stored. The relevant files and dates in the archive are noted below.)

4) The following tables show the correspondence between the independent claims now pending in this application and Exhibits A and B. In view of this correspondence, it is clear that we conceived the claimed invention prior to September 28, 2000. In each table, a claim element is followed by the indented passage of the exhibits that supports it.



Claim 1

A method of responding to an overload condition at a network element ("victim") in a set of one or more potential victims on a network
    Exhibit A, page 1, paragraph 1: "NetGuard system is activated upon receiving alerts of an attack. The system then focused on defending only the victim(s) of the attack."

A. responsively to an indication of an anomalous traffic condition, initiating diversion of traffic destined for the victim by a first set of one or more network elements external to the set of one or more potential victims to a second set of one or more network elements external to the set of one or more potential victims
    Exhibit A, page 1, paragraph 4: "At the time of the attack all traffic to the server, which is the victim of the attack, is navigated to the NetGuard. This is done by routing any traffic using the victim public address to NetGuards. Hence achieving our first goal, that traffic to the victim, from outside the network, and inside the network, is redirected to NetGuards."

the element(s) of the second set filtering traffic diverted in step A ("diverted traffic") and selectively passing a portion thereof to the victim
    Exhibit A, page 1, last paragraph: "The NetGuards machine, discriminates between traffic to the victim that is part of the attack, and genuine traffic. The traffic of the attack would be blocked at NetGuards. Genuine traffic would be routed from the NetGuards to the victim, using the victim private address."



Claim 46

A network element for use in protecting against an overload condition on a network
    Exhibit A, page 1, paragraph 1: "NetGuard system is activated upon receiving alerts of an attack. The system then focused on defending only the victim(s) of the attack."

an input for receiving traffic diverted from the network, the traffic comprising flows of data packets having respective source addresses
    Exhibit A, page 1, paragraph 4: "At the time of the attack all traffic to the server, which is the victim of the attack, is navigated to the NetGuard. This is done by routing any traffic using the victim public address to NetGuards."
    Exhibit B, section 1.1: "It is common (e.g., in the Cisco convention) to define a network flow by the following parameters: i. Source IP address..."

a statistics module that is arranged to perform a statistical analysis of the diverted traffic so as to detect an anomalous pattern of a flow associated with at least one of the source addresses
    Exhibit B, section 1.1.2: "Attack Analysis: will be conducted during attack time and will be responsible to compare the historically collected statistical data with the current traffic volume and generate rules for traffic blockage. The output of this unit, in general, will consist of a list of items for each of which three parameters will be provided: a. Network flow, identified by a combination of source IP address (can be prefixed), destination IP address, destination port number, protocol type..."

a filter, which is operative, responsively to detection of the anomalous pattern, to block at least a portion of the data packets having the at least one of the source addresses
    Exhibit B, section 1.3, last paragraph: "The analysis will be based on the statistical parameters of the data and will aim at keeping the attacked destination at normal loads by blocking the most 'suspected' traffic streams."

an output coupled to the input for selectively passing on to further elements in the network traffic not blocked by the filter
    Exhibit A, page 1, last paragraph: "The NetGuards machine, discriminates between traffic to the victim that is part of the attack, and genuine traffic. The traffic of the attack would be blocked at NetGuards. Genuine traffic would be routed from the NetGuards to the victim, using the victim private address."







Claim [number illegible in scan]

A system for use in protecting against an overload condition on a network
    Exhibit A, page 1, paragraph 1: "NetGuard system is activated upon receiving alerts of an attack. The system then focused on defending only the victim(s) of the attack."

one or more network elements ("guards") disposed on the network
    Exhibit A, page 1, paragraph 4: "At the time of the attack all traffic to the server, which is the victim of the attack, is navigated to the NetGuard."

an input for receiving traffic from the network
    Exhibit A, page 1, paragraph 4: "This is done by routing any traffic using the victim public address to NetGuards."

a filter coupled to the input, the filter selectively blocking traffic originating from a source suspected as potentially causing the overload condition
    Exhibit B, section 1.3, last paragraph: "The analysis will aim at keeping the attacked destination at normal loads by blocking the most 'suspected' traffic streams."

a statistics module that is coupled to the filter and that identifies the traffic statistically indicative of having originated from the source suspected as potentially causing the overload condition
    Exhibit B, section 1.1.2: "Attack Analysis: will be conducted during attack time and will be responsible to compare the historically collected statistical data with the current traffic volume and generate rules for traffic blockage. The output of this unit, in general, will consist of a list of items for each of which three parameters will be provided: a. Network flow, identified by a combination of source IP address (can be prefixed), destination IP address, destination port number, protocol type..."

an output coupled to the input for selectively passing on to further elements in the network traffic not blocked by the filter
    Exhibit A, page 1, last paragraph: "The NetGuards machine, discriminates between traffic to the victim that is part of the attack, and genuine traffic. The traffic of the attack would be blocked at NetGuards. Genuine traffic would be routed from the NetGuards to the victim, using the victim private address."

one or more further network elements ("diverters") disposed on the network and in communication with the guards, the further network elements selectively initiating, responsively to detection of an anomalous traffic condition, diversion to at least one of the guards traffic otherwise destined for a still further network element ("victim") in a set of one or more potential victims on the network
    Exhibit A, page 1: routers shown in the figure diverting traffic to NetGuards, as stated in paragraph 4 on page 1: "At the time of the attack all traffic to the server, which is the victim of the attack, is navigated to the NetGuard. This is done by routing any traffic using the victim public address to NetGuards. Hence achieving our first goal, that traffic to the victim, from outside the network, and inside the network, is redirected to NetGuards."
Claim 56

A method of responding to an overload condition at a network element ("victim") in a set of one or more potential victims on a network
    Exhibit A, page 1, paragraph 1: "NetGuard system is activated upon receiving alerts of an attack. The system then focused on defending only the victim(s) of the attack."

diverting to a guard machine traffic destined for the victim, the traffic comprising flows of data packets having respective source addresses
    Exhibit A, page 1, paragraph 4: "At the time of the attack all traffic to the server, which is the victim of the attack, is navigated to the NetGuard. This is done by routing any traffic using the victim public address to NetGuards."
    Exhibit B, section 1.1: "It is common (e.g., in the Cisco convention) to define a network flow by the following parameters: i. Source IP address..."

performing a statistical analysis of the diverted traffic at the guard machine so as to detect an anomalous pattern of a flow associated with at least one of the source addresses
    Exhibit B, section 1.1.2: "Attack Analysis: will be conducted during attack time and will be responsible to compare the historically collected statistical data with the current traffic volume and generate rules for traffic blockage. The output of this unit, in general, will consist of a list of items for each of which three parameters will be provided: a. Network flow, identified by a combination of source IP address (can be prefixed), destination IP address, destination port number, protocol type..."

a filter, which is operative, responsively to detection of the anomalous pattern, to block at least a portion of the data packets having the at least one of the source addresses
    Exhibit B, section 1.3, last paragraph: "The analysis will be based on the statistical parameters of the data and will aim at keeping the attacked destination at normal loads by blocking the most 'suspected' traffic streams."

responsively to detecting the anomalous pattern, preventing at least a portion of the data packets having the at least one of the source addresses from reaching the victim while passing to the victim at least some of the data packets from other source addresses
    Exhibit A, page 1, last paragraph: "The NetGuards machine, discriminates between traffic to the victim that is part of the attack, and genuine traffic. The traffic of the attack would be blocked at NetGuards. Genuine traffic would be routed from the NetGuards to the victim, using the victim private address."



Claim 66

A method of responding to an overload condition at a network element ("victim") in a set of one or more potential victims on a network
    Exhibit A, page 1, paragraph 1: "NetGuard system is activated upon receiving alerts of an attack. The system then focused on defending only the victim(s) of the attack."

coupling the victim to receive traffic from the network via a first port of a network switch
    Exhibit A, page 1: In the figure, the victim is coupled to receive traffic via one output of a router.

actuating the network switch to divert the traffic destined for the victim to a second port to which a guard machine is coupled
    Exhibit A, page 1, paragraph 4: "At the time of the attack all traffic to the server, which is the victim of the attack, is navigated to the NetGuard. This is done by routing any traffic using the victim public address to NetGuards." The figure shows that the NetGuard is coupled to a different port of the router from the victim.

filtering the diverted traffic using the guard machine
    Exhibit A, page 1, last paragraph: "The NetGuards machine, discriminates between traffic to the victim that is part of the attack, and genuine traffic. The traffic of the attack would be blocked at NetGuards."

selectively passing at least a portion of the filtered traffic from the guard machine to the victim
    Exhibit A, page 1, last paragraph: "The traffic of the attack would be blocked at NetGuards. Genuine traffic would be routed from the NetGuards to the victim, using the victim private address."
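As an added illustration of the guard-machine behaviour that the claim elements above describe (diverted traffic is analysed statistically per flow against historically collected data, the most suspected streams are blocked until the victim is back at normal load, and the remainder is passed on), the following Python example implements that pipeline over constructed traffic. It is not code from this declaration, from the exhibits or from the applicants; the victim address, the capacity figure, the 4x-baseline anomaly threshold, the minimum-expected floor and the packet records are all assumptions chosen for the demonstration.

```python
"""Guard-machine pipeline described by the claim tables: a statistics module
compares current per-flow volume with historically collected data, emits
blocking rules for the most suspected streams, and a filter passes the rest
on to the victim.  Added example; not code from the declaration or exhibits."""
from collections import Counter
from ipaddress import ip_network

VICTIM = "192.0.2.10"   # constructed public address of the protected server
CAPACITY = 40           # assumed "normal load": packets per interval the victim absorbs
FACTOR = 4.0            # assumed threshold: a flow is suspect above FACTOR x its baseline
FLOOR = 2.0             # assumed minimum expected count, so an unseen flow needs more
                        # than a handful of packets before it is called anomalous


def flow_key(pkt, prefix_len=24):
    """Flow identifier in the convention quoted from Exhibit B, section 1.1:
    (source IP, prefixed), destination IP, destination port, protocol."""
    src = ip_network(f"{pkt['src']}/{prefix_len}", strict=False)
    return (str(src), pkt["dst"], pkt["dport"], pkt["proto"])


def count_flows(packets):
    """Packets per flow within one measurement interval."""
    return Counter(flow_key(p) for p in packets)


class StatisticsModule:
    """Learns a per-flow baseline in peacetime and, during an attack,
    turns the comparison with current volume into blocking rules."""

    def __init__(self):
        self.baseline = {}  # flow key -> largest packet count seen per interval

    def learn(self, packets):
        for key, n in count_flows(packets).items():
            self.baseline[key] = max(self.baseline.get(key, 0), n)

    def analyze(self, packets):
        """Return flow keys to block, most suspected first, stopping as soon as
        the remaining load would keep the victim at or under CAPACITY."""
        current = count_flows(packets)
        load = sum(current.values())
        suspects = []
        for key, n in current.items():
            expected = max(self.baseline.get(key, 0), FLOOR)
            if n > FACTOR * expected:
                suspects.append((n / expected, key, n))
        suspects.sort(reverse=True)  # highest ratio to baseline = most suspected
        rules = []
        for _, key, n in suspects:
            if load <= CAPACITY:
                break
            rules.append(key)
            load -= n
        return rules


class GuardFilter:
    """Drops packets whose flow matches a blocking rule; passes everything else."""

    def __init__(self, rules):
        self.blocked = set(rules)

    def apply(self, packets):
        passed, dropped = [], []
        for p in packets:
            (dropped if flow_key(p) in self.blocked else passed).append(p)
        return passed, dropped


def make_packets(src_hosts, count, dport=80, proto="tcp"):
    """Constructed traffic: `count` packets to the victim, round-robin over src_hosts."""
    return [{"src": src_hosts[i % len(src_hosts)], "dst": VICTIM,
             "dport": dport, "proto": proto} for i in range(count)]


# Constructed peacetime interval: two client networks at modest volume.
PEACETIME = (make_packets(["198.51.100.7", "198.51.100.9"], 12)
             + make_packets(["203.0.113.20"], 8))

# Constructed attack interval: a flood from many hosts in 203.0.113.0/24 and a
# burst from a /24 never seen before, while the 198.51.100.0/24 clients are unchanged.
ATTACK = (make_packets(["198.51.100.7", "198.51.100.9"], 12)
          + make_packets([f"203.0.113.{i}" for i in range(50, 60)], 80)
          + make_packets(["192.0.2.200", "192.0.2.201"], 30))


def run_guard(peacetime=PEACETIME, attack=ATTACK):
    """Full cycle: learn the baseline, analyse the attack interval, filter it."""
    stats = StatisticsModule()
    stats.learn(peacetime)
    rules = stats.analyze(attack)
    passed, dropped = GuardFilter(rules).apply(attack)
    return rules, passed, dropped


if __name__ == "__main__":
    rules, passed, dropped = run_guard()
    for r in rules:
        print("block flow", r)
    print(f"passed {len(passed)} packets to the victim, dropped {len(dropped)}")
```

Running the script blocks the two anomalous /24 flows and lets the twelve packets from the unchanged client network through, so the victim stays under its assumed capacity. Two design points matter for a real guard: the floor keeps a brand-new but low-volume client from being flagged on its first packets, and blocking stops as soon as the remaining load fits the victim's capacity, which is what "keeping the attacked destination at normal loads" asks for rather than dropping every flow that looks unusual.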



5) During the period between September 28 and October 17, we worked continuously and diligently to revise and supplement the material in the original drafts in order to complete the provisional patent application that was subsequently filed. Some of the draft documents that we prepared during this period are attached hereto as Exhibits C, D, E and F. These documents were completed, respectively, on September 29, October 2, October 9, and October 13, 2000. We then completed and filed our provisional patent application on October 17, 2000.

6) Exhibit G is a directory listing of the archive from which Exhibits A-F were taken. The table below lists the file names and dates as they appear in Exhibit G:



Exhibit    File name                          Date
A          [file name not legible in scan]    September 14, 2000
B          Statistical-patent4.doc            September 18, 2000
C          Copy of net XX.doc                 September 29, 2000
D          Attack Identification.doc          October 2, 2000
E          Statistical-patent-ha[illegible]   October 9, 2000
F          Mordi.ppt                          October 13, 2000
We hereby declare that all statements made herein of our own knowledge are true and that all statements made on information and belief are believed to be true; and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code and that such willful false statements may jeopardize the validity of the application or any patent issued thereon.



Yehuda Afek
Citizen of Israel
26 Hacarmel Street
Hod Hasharon
Israel

Date:


Anat Bremler-Barr
Citizen of Israel
17 Hashomron Street
Ramat Hasharon
Israel

Date:


Dan Touitou
Citizen of Israel
21 Golani Street
Ramat Gan 52224
Israel

Date: